Research Software Group / PEDASI
Commit d4bc8cb4, authored 6 years ago by James Graham
Add check to CsvConnector to prevent downloading of Django files - #19
Parent: 80cb0645
Branch: issue-19
Showing 4 changed files with 48 additions and 3 deletions:
README.md: 4 additions, 2 deletions
datasources/connectors/csv.py: 37 additions, 0 deletions
datasources/models.py: 2 additions, 1 deletion
pedasi/settings.py: 5 additions, 0 deletions
README.md (+4 −2)
...
...
@@ -37,7 +37,9 @@ To deploy using production settings you must:
## Configuring PEDASI
Both PEDASI and Django are able to be configured via a
`.env`
file in the project root.
The only required configuration property is the Django SECRET_KEY which should be a randomly generated
character sequence.
The required configuration properties are:
-
SECRET_KEY - should be a randomly generated value
-
DATABASE_USER
-
DATABASE_PASSWORD - should be a randomly generated value
Other configuration properties are described at the top of
`pedasi/settings.py`
.
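Review bot: the README change leaves the new file-location restriction undocumented. With this commit `CsvConnector` refuses any file that is not under `MEDIA_ROOT` (or `BASE_DIR/data` when `DEBUG` is on) and raises `PermissionError`, so anyone configuring a CSV data source needs to know where the file has to live; add a sentence under "Configuring PEDASI" naming the permitted locations. While editing the list, give `DATABASE_USER` a short description like its two neighbours so the three entries read consistently.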
datasources/connectors/csv.py (+37 −0)
import
pathlib
import
typing
from
django.conf
import
settings
from
.base
import
DataSetConnector
,
DummyRequestsResponse
# TODO this still allows users to access the data of other users
def
in_permitted_directory
(
path
:
typing
.
Union
[
pathlib
.
Path
,
str
])
->
bool
:
"""
Is the file being accessed in a permitted directory?
Permitted directories are:
- MEDIA_ROOT
- BASE_DIR/data - if in debug mode
:param path: File path to check
:return: Is file in a permitted directory?
"""
path
=
pathlib
.
Path
(
path
)
root_path
=
pathlib
.
Path
(
settings
.
MEDIA_ROOT
)
test_files_path
=
pathlib
.
Path
(
settings
.
BASE_DIR
).
joinpath
(
'
data
'
)
if
root_path
in
path
.
parents
:
return
True
elif
settings
.
DEBUG
and
test_files_path
in
path
.
parents
:
return
True
return
False
class
CsvConnector
(
DataSetConnector
):
"""
Data connector for retrieving data from CSV files.
"""
def
__init__
(
self
,
location
:
str
,
api_key
:
typing
.
Optional
[
str
]
=
None
,
auth
:
typing
.
Optional
[
typing
.
Callable
]
=
None
,
**
kwargs
):
if
not
in_permitted_directory
(
location
):
raise
PermissionError
(
'
File being accessed is not within the permitted directory
'
)
super
().
__init__
(
location
,
api_key
,
auth
,
**
kwargs
)
def
get_response
(
self
,
params
:
typing
.
Optional
[
typing
.
Mapping
[
str
,
str
]]
=
None
):
"""
...
...
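Review bot: `in_permitted_directory` compares unnormalised paths, so the new check is bypassable with `..` or a symlink. `pathlib.Path` does not collapse `..`, so for a `location` of `MEDIA_ROOT + '/../pedasi/settings.py'` the sequence `path.parents` still contains `MEDIA_ROOT` and the function returns `True`, which is exactly the kind of Django file the commit message sets out to block; a symlink placed inside `MEDIA_ROOT` and pointing elsewhere passes for the same reason. Resolve both sides before comparing (`path = pathlib.Path(path).resolve()` and `root_path = pathlib.Path(settings.MEDIA_ROOT).resolve()`, likewise for `test_files_path`) and then test `root_path in path.parents`, and reject a relative `location` explicitly rather than relying on it failing the comparison against the absolute roots. The `# TODO this still allows users to access the data of other users` should also be recorded on issue #19, since the function only establishes the directory and says nothing about who owns the file.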
datasources/models.py (+2 −1)
...
...
@@ -221,10 +221,11 @@ class DataSource(BaseAppDataModel):
self
.
data_connector
.
get_metadata
(),
indent
=
4
))
except
(
KeyError
,
NotImplementedError
,
ValueError
):
except
(
KeyError
,
NotImplementedError
,
ValueError
,
PermissionError
):
# KeyError: Plugin was not found
# NotImplementedError: Plugin does not support metadata
# ValueError: Plugin was not set
# PermissionError: File exists outside of permitted directory - not the responsibility of the search record
pass
result
=
'
\n
'
.
join
(
lines
)
...
...
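Review bot: catching `PermissionError` here swallows more than the connector's directory check, because `PermissionError` is the builtin `OSError` subclass Python raises for an EACCES failure; an unreadable CSV that sits legitimately under `MEDIA_ROOT` will now vanish from the search record with a silent `pass`. Raise a connector-specific exception from `CsvConnector.__init__` (a subclass defined alongside `DataSetConnector` in `datasources/connectors`) and catch that one in this `except`, and log the rejection at warning level instead of `pass` so an operator can tell that a data source points outside the permitted directory.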
pedasi/settings.py (+5 −0)
...
...
@@ -303,3 +303,8 @@ STATICFILES_DIRS = [
os
.
path
.
join
(
BASE_DIR
,
'
pedasi
'
,
'
static
'
),
os
.
path
.
join
(
BASE_DIR
,
'
docs
'
,
'
build
'
),
]
# Media directory - files uploaded by users
MEDIA_URL
=
'
/media/
'
MEDIA_ROOT
=
os
.
path
.
join
(
BASE_DIR
,
'
media
'
)
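Review bot: `MEDIA_ROOT` is hard-coded to `BASE_DIR/media` while the README says PEDASI is configured through a `.env` file, so a production deployment cannot move uploads out of the code tree. Since the new `CsvConnector` check treats `MEDIA_ROOT` as its trust boundary, it deserves the same `.env`-driven treatment as `SECRET_KEY` and the database settings. The comment `# Media directory - files uploaded by users` should also state that every file under this directory becomes readable through `CsvConnector` regardless of who uploaded it, matching the TODO left in `csv.py`.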